
I am currently in the process of upgrading our Docker images from Debian 10 (buster) to Debian 12 (bookworm). We create our own base images with debootstrap:

debootstrap --verbose --arch=amd64 --variant=minbase bookworm /foo/mount/ http://deb.debian.org/debian/

It looks like with the upgrade from buster to bookworm, Debian changed something with how they are doing apt repository key signing, because since the upgrade I cannot execute apt update due to errors with unsigned repositories:

...
Step 7/12 : RUN apt -qy -o Dpkg::Progress-Fancy="0" install debian-archive-keyring
 ---> Running in d082b5ebac6c
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Reading package lists...
Building dependency tree...
debian-archive-keyring is already the newest version (2023.3+deb12u1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Removing intermediate container d082b5ebac6c
 ---> 495b216b0ff7
Step 8/12 : RUN apt --allow-releaseinfo-change update  && ...
 ---> Running in 800fc278cc6a
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Err:1 http://deb.debian.org/debian bookworm InRelease
  At least one invalid signature was encountered.
Reading package lists...
W: GPG error: http://deb.debian.org/debian bookworm InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.

Important snippets: "debian-archive-keyring is already the newest version" and "The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed." I have already tried to install debian-archive-keyring, as that is what is advised online for this problem, but it looks like this is not working.

The only other advice I have seen is that I am supposed to download some keyfiles from random sites (like apparently the homepage of some dude or some *.edu sites), but that seems too shady for me. I'd prefer a solution that works with official Debian resources.

Am I doing something wrong? Why does debootstrap generate an un-updatable base-system for me? How do I get the apt update command to work? Thank you for any help.
